email verification flow updated

backend/middleware/rateLimiter.js

@@ -162,6 +162,18 @@ const authRateLimiters = {
     legacyHeaders: false,
   }),
 
+  // Email verification rate limiter - protect against brute force on 6-digit codes
+  emailVerification: rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 10, // 10 verification attempts per 15 minutes per IP
+    message: {
+      error: "Too many verification attempts. Please try again later.",
+      retryAfter: 900,
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+  }),
+
   // General API rate limiter
   general: rateLimit({
     windowMs: 60 * 1000, // 1 minute
@@ -186,6 +198,7 @@ module.exports = {
   registerLimiter: authRateLimiters.register,
   passwordResetLimiter: authRateLimiters.passwordReset,
   alphaCodeValidationLimiter: authRateLimiters.alphaCodeValidation,
+  emailVerificationLimiter: authRateLimiters.emailVerification,
   generalLimiter: authRateLimiters.general,
 
   // Burst protection